General Data Protection Regulation (GDPR) and US Companies

What is GDPR?

The General Data Protection Regulation, better known as GDPR, is Europe's new framework for data protection laws. These new privacy and security laws have been designed to give European Union (EU) citizens more control over their data. GDPR modernizes laws and obligations across Europe for the internet-connected age. The GDPR further defines the protection of personal data as a fundamental right.

Who does the GDPR protect? It protects any natural person who resides in the EU.

What data does GDPR protect? GDPR protects Personal Data as well as Sensitive Personal Data. Personal data is anything that allows a natural person to be identified. This may be any of the following:

Names

Addresses

Birth dates

IP addresses

Email addresses

Bank details

Medical information

Automated Personal Data

Pseudonymized data

GDPR treats Sensitive Personal Data as belonging to special categories. These include:

Trade Union membership

Religious beliefs

Political opinions

Racial information

Sexual Orientation

Key changes organizations need to keep in mind:

Privacy-by-design – data protection must be built into your business processes and systems from the start and provided by default.

Data Retention – personal data should be kept only as long as it is necessary. After that it must be securely destroyed.

Right to be forgotten – Users can ask for their data to be deleted. They may also ask to have their data transferred to a third party.

Mandatory breach notification – Any breaches must be reported to Supervisory Authorities within 72 hours.

Penalties for non-compliance – up to 20,000,000 Euros ($23,138,200) or 4% of the company's annual global turnover, whichever is greater.

Does the GDPR apply to US Companies?

The simple answer is yes. The internet is borderless, and data moves across traditional national borders with ease. GDPR applies to any company that offers goods or services to customers or businesses that reside in the European Union (EU). If a US company controls or processes the data of any person or business in the EU, GDPR applies.

A Controller is an entity that decides the purpose for which, and the manner in which, personal data is used or will be used. If your company collects personal data of any person or business in the EU, you are considered a Controller.

A Processor is the person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.

GDPR Requirements for US Companies

Ensure data is collected only when it is lawful to do so

Obtain consent before data is collected, stored or processed

Obtain consent from parents or legal guardians before children’s data is collected or processed

Implement controls to ensure confidentiality

Train employees on the correct handling of personal data

Ensure EU citizens' right to be forgotten can be honored and that it is possible to permanently erase all collected data

Ensure EU citizens are informed about how their data will be collected and used

Make sure cross-border data transfers are GDPR compliant

Implement data breach notification policies

It may also be necessary for organizations to appoint a Data Protection Officer

What Do US Companies Need to Do Now to Ensure Compliance with GDPR?

Determine what type of data you collect and/or process

Determine if you need a Data Protection Officer

Develop consent forms

Ensure you can detect, respond to and report data breaches

Make sure your privacy practices meet GDPR standards

Make sure any business associates and subcontractors are aware of GDPR Requirements

Check whether your data retention policy is GDPR compliant

As of 25 May 2018, all organizations are expected to be compliant with GDPR.

If you are unsure how GDPR affects your business or don't know where to start with GDPR compliance, it is strongly advisable to seek advice from compliance experts. Beringer Technology Group is always here to provide expert knowledge on topics like these. Contact us with any questions you may have.